Data Issues – Technology Transactions Today (https://www.techtransactionstoday.com)
Insights, tips and trends in technology transactions from the country’s leading technology lawyers

Is California’s Consumer Privacy Act of 2018 going to be GDPR version 2?
https://www.techtransactionstoday.com/2018/09/06/is-californias-consumer-privacy-act-of-2018-going-to-be-gdpr-version-2/
Thu, 06 Sep 2018

While there is time before the California Consumer Privacy Act of 2018 comes into effect, which is January 1, 2020, businesses need to start planning now for compliance. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses. It covers any business meeting revenue or data collection volume triggers and that collects or sells information about California residents.

Applicability to businesses

The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (“GDPR”).

The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and which either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.

Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (the “CMIA”) or HIPAA; the sale of information from or to a consumer reporting agency if the information is used as part of a consumer report and used in compliance with the Fair Credit Reporting Act (“FCRA”); and only to the extent CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (“GLBA”) or to the Driver’s Privacy Protection Act (“DPPA”).

Requirements of CCPA

As currently enacted, the law dramatically increases consumers’ rights of access and control over how their personal information is collected, used, sold and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:

Right to Personal Information Collected by Businesses: Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources and business or commercial purposes of that personal information.

Right to Erase Personal Information: Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business has about the consumer once the personal information is no longer needed.

Right of Opt-Out: Consumers will have the right to opt-out of any future sale of their personal information through at least a “Do Not Sell My Personal Information” link on the business’ home page.

Opt-In Requirement for Minors: Businesses are prohibited from selling the personal information of consumers whom the business has actual knowledge are under 16 years old without their or their parents’ opt-in consent.

Prohibits Waiver and Retaliation by Businesses: Waivers of consumer rights and remedies under CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as by denying goods or services to the consumer or charging or suggesting different prices or rates for goods and services.

Increased Transparency: Businesses will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

Enforcement

Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules and other regulations necessary to establish compliance or in furtherance of CCPA’s purposes. Technology companies have strongly opposed CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.

The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.

The CCPA also provides a private right of action for consumers whose nonencrypted and nonredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of CCPA could be the basis to assert class actions.

Impact on businesses

Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation of the CCPA’s implementation:

Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is used and shared with third parties.

Review internal policies and procedures to be able to appropriately respond to consumer requests for access, deletion, or information related to the sale or disclosure of their personal information.

Closely monitor guidance from the California Attorney General regarding appropriate verification measures for consumer requests. The CCPA describes that a business must associate information provided by a consumer with information it has collected, sold, or disclosed about a consumer to verify their identity, but instructs the California Attorney General to solicit public comments in order to promulgate further regulations in this area.

Begin the planning and implementation of technological improvements to their information systems that may be necessary to process consumer requests and their rights to opt-out of the sale of personal information.

Review and update privacy policies to comply with the disclosure requirements of the CCPA when it becomes necessary to do so.

Begin preparing training materials and planning for training all personnel who are responsible for handling consumer personal information inquiries.

Update contracts with third parties and service providers to whom consumer personal information is conveyed to ensure that the vendor can appropriately respond to consumer requests to delete information. Consider using third party audits to ensure compliance with CCPA and conducting those audits through legal counsel to support the position that the results are covered by the attorney-client privilege.

Court Rules Drivers Lack Standing to Pursue Claims Against Uber Because Data Breach Did Not Include Drivers’ Social Security Numbers
https://www.techtransactionstoday.com/2018/08/01/court-rules-drivers-lack-standing-to-pursue-claims-against-uber-because-data-breach-did-not-include-drivers-social-security-numbers/
Wed, 01 Aug 2018

California companies housing their drivers’ personal information may feel less exposed to liability in light of the Northern District of California’s holding in Antman v. Uber Technologies, Inc. in May.[1] The trial court in Antman found that Uber was not liable to its drivers after hackers illicitly accessed their personal information through Uber’s computer system.[2]

Plaintiffs Sasha Antman and Gustave Link alleged that the company failed to protect their personal information, as well as that of a putative class of individuals similarly situated. Plaintiffs stated claims for violation of California’s Unfair Competition Law (UCL), negligence, and breach of implied contract.[3][4]

According to the allegations, Uber drivers’ personal information (including names, driver’s license numbers, and bank information) was compromised in two separate incidents in May 2014 and October 2016.[5] Notably, there was no allegation that the Social Security numbers of the putative class were compromised. The putative class alleged injuries including the time and expense related to monitoring their financial accounts for fraud, an increased risk of fraud and identity theft, and invasion of privacy.[6] Antman individually alleged that an unknown person had used his personal information to apply for a credit card in or around June 2014.[7]

The court rejected the suggestion that Uber’s failure to protect plaintiffs’ personal information was an injury per se sufficient to confer standing.[8] Judge Beeler dismissed plaintiffs’ case on two grounds: (1) failure to establish Article III standing; and (2) failure to show injury and causation sufficient to defeat Uber’s Rule 12(b)(6) motion to dismiss.[9] The court determined that plaintiffs lacked standing because they had not adequately established injury.[10] In doing so, the court distinguished the action from another case in which the plaintiffs’ Social Security numbers were compromised.[11] Without Social Security numbers, the court reasoned, the “disclosed information does not plausibly amount to a credible threat of identity theft that risks real, immediate injury.”[12]

The trial court further held that plaintiffs failed to establish causation. The court reiterated that Article III requires the injury be “trace[able] to the challenged action of the defendant” and not the “result [of] the independent action of some third party …”[13] Because a person could not plausibly apply for a credit card without a Social Security number—which plaintiffs did not allege was accessed in the breach—there was nothing to suggest that Uber caused Antman’s injuries.[14]

The court also took care to rebut plaintiffs’ claim that Uber’s “pattern of dishonesty means that it cannot be trusted.”[15] Rather, allegations regarding other lawsuits, and what they reveal about the company and its business practices, “do not affect the court’s inquiry.”[16] Because plaintiffs failed to show personal injury or plausible risk of immediate harm, they failed to establish Article III standing.

Having dismissed two earlier versions of the complaint, the court dismissed the latest version without leave to amend, closing the door on any subsequent attempts by the plaintiffs to allege adequate proof of injury and causation.[17] Plaintiffs filed a notice of appeal on June 8, 2018, to the Ninth Circuit Court of Appeals, which issued an order on July 19 releasing the case from the court’s mediation program.[18]

[10] Id. at *9. The Court had earlier dismissed plaintiffs’ First and Second Amended Complaints for lack of standing. Id. at *1; see also Antman v. Uber Techs., Inc., No. 3:15-cv-01175-LB, 2015 WL 6123054, at *9-12.

Integrating Information Security Into the Technology Development Process
https://www.techtransactionstoday.com/2018/07/23/2360/
Mon, 23 Jul 2018

In a recent blog post, I discussed limitation of liability clauses in technology contracts. Given the favorable response to that post, I thought it would be of interest to discuss another misunderstood and frequently neglected area of technology contracting: information security warranties. Let me be more specific. Most well-drafted technology agreements contain specific warranties and other protections relating to the protection and security of data shared with the vendor. While clearly important, contract protections should not stop there. Rather, it is becoming a contracting best practice in the industry to also include one or more warranties specifically directed at ensuring the vendor has integrated information security into the overall development of its products. It is this area that is frequently overlooked and too often misunderstood.

These warranties address how thoroughly the vendor has dealt with information security: whether it is attempting to “bolt on” security measures to an already developed product or has built the product with information security in mind from the time of inception. In addition, these warranties are directed at ensuring the vendor hasn’t incorporated orphaned code into its products.

Those of you who read this blog regularly will recall I previously provided a checklist of information security warranties, including the kind of warranties we are discussing today. Here, however, we will talk about the specifics of those warranties in detail.

Securing Development Warranties

In the current technology environment, it is critical to ensure that vendors commit to a development environment for their products that represents best practices for assessing and testing security. The linchpin of this protection turns on conducting an appropriate code review. To that end, the warranty generally requires the vendor to use a third-party nationally recognized auditor specializing in code reviews to conduct the security assessments or allows the vendor to conduct its own security assessments, provided that the personnel performing the review are experienced in conducting reviews of this kind, hold an industry-recognized certification in security assessments for software (e.g., Certified Secure Software Lifecycle Professional [CSSLP] or GIAC Secure Software Programmer certification), follow industry standard best practices, and promptly share the results for the customer’s review and approval.

Consider one potential way this might be written as a contract warranty:

Secure Development. With regard to any Product, Vendor warrants it will use industry best practices for secure coding (e.g., the CERT Secure Coding Standards, ISO 27034, etc.), including integrating security measures into the development process, conducting comprehensive security testing of all software and other coding, and using automated code vulnerability assessment tools. Testing should include, where appropriate, but not be limited to, cross-site scripting, parameter tampering, hidden field manipulation, backdoors and debug options, stealth commanding, application buffer overflow, cookie poisoning, third-party misconfigurations, HTTP attacks, SQL injection, and other known vulnerabilities. Vendor will document all identified vulnerabilities and their remediation. Vendor shall make such documentation available to the Customer in the form of a written report.

Known Vulnerability Warranties

Closely associated with the secure development warranty, described above, is a warranty that the vendor has complied with specified standards and testing procedures designed to assess the overall security/vulnerability of its products. At its most basic level, this is an obligation to check the product against the most common security vulnerabilities identified by recognized organizations in the security industry (e.g., OWASP Top 10 vulnerabilities; CWE/SANS Top 25 vulnerabilities). This can be accomplished by testing the product on a routine basis for any vulnerability or exposure identified in MITRE’s Common Vulnerabilities and Exposures (CVE), located at http://cve.mitre.org, that carries a Common Vulnerability Scoring System (CVSS) score of, say, 4 or higher. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9. Vulnerabilities are labeled “Medium” severity if they have a CVSS base score of 4.0-6.9. Vulnerabilities are labeled “High” severity if they have a CVSS base score of 7.0-10.0. Depending on the engagement, the customer can select how much risk it is willing to take by setting the acceptable vulnerability score.

Here is an example of a warranty drafted to address known vulnerability testing:

Known Vulnerability Testing. In addition to all other security obligations under this Agreement, Vendor represents that it shall test all Products, including all embedded third-party software, in accordance with best industry practices, but in no event on less than a quarterly basis, for any vulnerability or exposure identified in MITRE’s Common Vulnerabilities and Exposures (CVE), located at http://cve.mitre.org, and having a Common Vulnerability Scoring System (CVSS) score of 6 or higher (as published by the NIST National Vulnerability Database, located at http://nvd.nist.gov). In the event such a vulnerability with a CVSS score is identified, Vendor will, at no additional charge to Customer, promptly remediate the vulnerability. Vendor shall keep complete and accurate records of its testing and remediation activities under this Section.

Orphaned/abandoned code warranties

As noted above, the other key area for security warranties is protection from orphaned or abandoned code. In particular, the use of open-source software in commercial products is now widespread. Many commercial products include dozens of such applications. Security researchers have found that orphaned code (i.e., code that is no longer actively supported or under development) can pose a serious security threat. In some instances, vendors are using code that has not been updated in years. To address this area of vulnerability, vendors should be required to warrant that no such outdated, abandoned, or orphaned code is present in their products.

A potential warranty for this type of orphaned software is as follows:

No Orphan Code/End-of-Life Products. Vendor represents and warrants that (i) no programming furnished to Customer will contain any orphaned code, as defined below, and that (ii) no hardware or software products, including operating systems and embedded software, or any component thereof, contain any hardware or software designated prior to the Effective Date as End-of-Life (i.e., no longer supported and updated by the manufacturer or licensor). For purposes of this Section, orphaned code means software that (a) has had more than one year since its last release or update; (b) does not have an identified individual responsible for supporting and maintaining the code; or (c) the identified individual’s contact information is no longer valid.
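As an added illustration (not part of the original post or of any contract form), the following Python script turns the Known Vulnerability Testing and No Orphan Code warranties above into a check a customer or vendor could run over a component inventory: it applies the CVSS severity bands quoted above, flags findings at or above a contractual threshold (6.0, as in the sample clause), and tests each component against orphan criteria (a), (b) and (c). Component names, release dates and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Warranty compliance check over a constructed component inventory.

Operationalises two sample clauses: Known Vulnerability Testing (flag any
CVE finding whose CVSS base score meets the contractual threshold) and
No Orphan Code (criteria (a) more than one year since last release,
(b) no identified maintainer, (c) maintainer contact no longer valid).
Every name, date and CVE id below is a constructed placeholder.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Finding:
    cve_id: str        # placeholder id, e.g. "CVE-EXAMPLE-0001" (not a real CVE)
    cvss_base: float   # CVSS base score, 0.0-10.0


@dataclass
class Component:
    name: str
    last_release: date
    maintainer: Optional[str]   # None -> no identified individual, criterion (b)
    contact_valid: bool         # False -> contact no longer valid, criterion (c)
    findings: List[Finding] = field(default_factory=list)


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the Low / Medium / High bands quoted in the post
    (0.0-3.9 / 4.0-6.9 / 7.0-10.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def one_year_after(d: date) -> date:
    """Same calendar date one year later; 29 Feb rolls to 28 Feb."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)


def orphan_reasons(component: Component, as_of: date) -> List[str]:
    """Return the list of orphan-code criteria the component meets as of `as_of`."""
    reasons = []
    if one_year_after(component.last_release) < as_of:
        reasons.append("a")          # more than one year since last release/update
    if component.maintainer is None:
        reasons.append("b")          # no identified individual responsible
    elif not component.contact_valid:
        reasons.append("c")          # identified individual, but contact invalid
    return reasons


def check_warranties(inventory: List[Component], as_of: date,
                     threshold: float = 6.0) -> Tuple[list, list]:
    """Apply both warranties.

    Returns (breaches, orphaned): breaches are (component, cve_id, score, band)
    tuples for findings with score >= threshold; orphaned are
    (component, [criteria]) tuples for components meeting any orphan criterion.
    """
    breaches, orphaned = [], []
    for comp in inventory:
        for f in comp.findings:
            if f.cvss_base >= threshold:
                breaches.append((comp.name, f.cve_id, f.cvss_base,
                                 cvss_severity(f.cvss_base)))
        reasons = orphan_reasons(comp, as_of)
        if reasons:
            orphaned.append((comp.name, reasons))
    return breaches, orphaned


# Constructed inventory; the assessment date is the post's own date.
AS_OF = date(2018, 7, 23)
INVENTORY = [
    Component("libfoo", date(2018, 5, 1), "maint@example.com", True,
              [Finding("CVE-EXAMPLE-0001", 7.5), Finding("CVE-EXAMPLE-0002", 3.1)]),
    Component("oldlib", date(2016, 2, 29), None, False,
              [Finding("CVE-EXAMPLE-0003", 6.0)]),
    Component("barsdk", date(2017, 7, 23), "dev@example.org", False,
              [Finding("CVE-EXAMPLE-0004", 5.9)]),
]

if __name__ == "__main__":
    breaches, orphaned = check_warranties(INVENTORY, AS_OF)
    for name, cve, score, band in breaches:
        print(f"REMEDIATE {name}: {cve} CVSS {score} ({band})")
    for name, reasons in orphaned:
        print(f"ORPHANED  {name}: criteria {', '.join(reasons)}")
```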

Of course, the foregoing potential warranties are merely possibilities. Specific engagements may require greater or lesser levels of protection. What these examples do provide, however, is insight into how common security standards may be incorporated into contract language to ensure vendors furnish products with appropriate information security protections.

California Moves Towards GDPR-like Privacy Protections in the California Consumer Privacy Act of 2018
https://www.techtransactionstoday.com/2018/07/03/california-moves-towards-gdpr-like-privacy-protections-in-the-california-consumer-privacy-act-of-2018/
Tue, 03 Jul 2018

CCPA At-A-Glance

The new law gives consumers broad rights to access and control of their personal information and imposes technical, notice, and financial obligations on affected businesses.

CCPA was enacted to protect the privacy of California consumers and has some similar characteristics to the EU’s General Data Protection Regulation (GDPR), including a new and very broad definition of what is included in protected personal information. Affected businesses are for-profit entities doing business in California that meet certain revenue or data collection volume requirements.

CCPA is effective January 1, 2020, and will apply to personal information collected before and after the effective date.

Businesses will need to modify operations, policies and procedures to comply with California residents’ rights to information about and control of their personal information.

Given the requirement for the California Attorney General to develop implementing regulations, and the strong and open opposition to the CCPA by technology companies, the final compliance requirements will likely evolve considerably between now and January 1, 2020.

On June 28, 2018, California passed AB 375, the California Consumer Privacy Act of 2018 (CCPA), which will become effective January 1, 2020. Introduced just a week earlier in an effort to defeat a much stricter privacy-focused ballot initiative, the CCPA is a sweeping new privacy law that was passed unanimously by the legislature with just minutes left to withdraw the ballot initiative from the November ballot. The CCPA provides California consumers with significantly expanded rights as to the collection and use of their personal information by businesses.

Applicability to Businesses

New Data Types Included as Personal Information

The CCPA broadly defines personal information to cover types of information not traditionally considered personal information in the United States, including:

IP addresses

email addresses

records of purchasing or consuming histories or tendencies

browsing history and search history

geolocation data

audio, visual, or thermal information

professional or employment information

education information

The CCPA uses a much broader definition of personal information than is generally used in privacy statutes in the United States, including the definition in California’s own data breach notification statute. Personal information under the CCPA includes “information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.” With this broad definition, the types of information protected under the CCPA are much closer to those found in the European Union’s General Data Protection Regulation (GDPR).

The law applies to for-profit entities that do business in California and have a role in determining the means and purposes of the processing of personal information and which either: (a) have annual gross revenues in excess of $25,000,000; (b) annually process the personal information of 50,000 or more California residents, households, or devices; or (c) derive at least half of their gross revenue from the sale of personal information. Thus, the CCPA’s applicability is based on the corporate structure, total revenue and source of revenue, and the amount of personal information processed by a business – regardless of its actual location. The CCPA does not define “households,” and the definition of “devices” is not limited to devices owned by California residents. Accordingly, the law may impact businesses with only loose ties to California.

Despite the apparent broad applicability of the CCPA, it specifically excludes personal information covered by other federal and state laws, such as: health information protected by California’s Confidentiality of Medical Information Act (CMIA) or HIPAA; the sale of information from or to a consumer reporting agency, if the information is used as part of a consumer report and in compliance with the Fair Credit Reporting Act (FCRA); and only to the extent the CCPA is in conflict, information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA) or the Driver’s Privacy Protection Act (DPPA).

Requirements of the CCPA

As currently enacted, the law dramatically increases consumers’ rights of access to and control over how their personal information is collected, used, sold, and disclosed. Assuming the law is not revised, the CCPA would provide consumers with the following:

Right to Personal Information Collected by Businesses – Consumers will have the right (subject to identity verification) to obtain a record of the personal information that a business collects about them, as well as information about the sources of, and the business or commercial purposes of, that personal information.

Right to Erase Personal Information – Consumers can require (subject to identity verification and limited exceptions) a business and its service providers to delete any personal information the business has about the consumer once the information is no longer needed.

Right of Opt-Out – Consumers will have the right to opt-out of any future sale of their personal information through at least a “Do Not Sell My Personal Information” link on a business’ home page.

Opt-In Requirement for Minors – Businesses are prohibited from selling the personal information of consumers whom the businesses have actual knowledge are under 16 years old and for whom they do not have appropriate opt-in consent.

Prohibits Waiver and Retaliation by Businesses – Waivers of consumer rights and remedies under the CCPA are unenforceable and businesses cannot discriminate against consumers for exercising their rights under the CCPA, such as by denying goods or services to the consumer or by charging or suggesting different prices or rates for goods and services.

Increased Transparency – Businesses will need to be substantially more transparent about their collection and use of personal information and must provide consumers with notice (in their privacy policies) of their new rights under the CCPA.

Enforcement

Prior to the law taking effect, the CCPA requires the Attorney General to adopt implementing regulations, including the establishment of exceptions, procedures, rules, and other regulations necessary to establish compliance with the CCPA’s purposes. Technology companies have strongly opposed the CCPA and may be expected to take action to affect the implementing regulations. Compliance requirements are expected to evolve between now and the effective date, warranting continued monitoring.

The Attorney General will enforce compliance with the CCPA. Businesses that fail to cure alleged violations within 30 days will be subject to a penalty of up to $7,500 per violation.

The CCPA also provides a private right of action for consumers whose unencrypted and unredacted personal information (as more narrowly defined under California’s data breach notification law) was subject to theft or other unauthorized disclosure as a result of a business’ failure to reasonably protect the consumers’ personal information as required under California’s data breach notification law. Subject to certain procedural requirements, each such incident will allow consumers to recover the greater of actual damages or up to $750 per incident per consumer. As with other privacy statutes, claimed violations of the CCPA could be the basis to assert class actions.

Similarities to GDPR

California’s passage of the CCPA is part of a growing trend towards increased data protection for consumers. The CCPA comes on the heels of the May 25, 2018, effective date of the GDPR, which provides expansive privacy and personal data protection rights for individuals in the European Union. While the GDPR is broader in many aspects than the CCPA, there are significant overlaps in consumer rights and business obligations. For example, both the CCPA and the GDPR provide consumers with the right to be forgotten and the right to access their personal information, and both require that businesses be transparent in their processing of personal information. However, the GDPR requires consumers to opt in to some uses of their personal information, while the CCPA maintains the opt-out approach generally used in the United States. The CCPA also lacks the relatively prescriptive requirements for security and vendor agreements found in the GDPR.

Nonetheless, there are significant similarities and overlaps between the GDPR and the CCPA. These similarities may make compliance with the CCPA easier for businesses that have already taken measures to comply with the GDPR. Businesses subject to the GDPR should review their handling of personal information to determine whether it satisfies the requirements of the CCPA. Organizations that have already taken steps to fully comply with GDPR only for individuals in the European Union may have to extend many of the protections to California consumers. Organizations that were not fully compliant with the requirements of the GDPR may wish to review and prioritize their schedule to ensure compliance with the requirements of the CCPA before January 1, 2020. Organizations that may not have been previously subject to the GDPR should evaluate if they will now be subject to the CCPA and should start planning their compliance well ahead of its effective date.

Impact on Businesses

Although the CCPA will not go into effect until 2020, it will take time for impacted businesses to comply with all of its provisions. Businesses subject to the CCPA should consider the following actions in preparation for the CCPA’s implementation:

Conduct a data mapping of the personal information collected by the business to understand the scope of personal information collected and how it is used and shared with third parties.

Review internal policies and procedures to be able to appropriately respond to consumer requests for access to, deletion from, or information related to the sale or disclosure of their personal information.

Closely monitor guidance from the California Attorney General regarding appropriate verification measures for consumer requests. The CCPA provides that a business must associate information provided by a consumer with information it has collected, sold, or disclosed about that consumer in order to verify his or her identity, but it instructs the California Attorney General to solicit public comments in order to promulgate further regulations in this area.

Begin the planning and implementation of technological improvements to their information systems that may be necessary to process consumer requests and to honor consumers’ rights to opt out of the sale of personal information.

Review and update privacy policies to comply with the disclosure requirements of the CCPA when it becomes necessary to do so.

Begin preparing training materials and planning for training all personnel who are responsible for handling consumer personal information inquiries.

Update contracts with third parties and service providers to whom consumer personal information is conveyed to ensure that the vendor can appropriately respond to consumer requests to delete information. Consider using third party audits to ensure compliance with the CCPA and conducting those audits through legal counsel to support the position that the results are covered by the attorney-client privilege.

Looking Forward

While the CCPA was largely applauded in a news conference held immediately following its signature by Gov. Jerry Brown, it has also met with some criticism. Nicole Ozer, technology and civil liberties director of the ACLU, decried that the CCPA was hastily drafted and that it utterly failed to provide the privacy protections that consumers demand and deserve. She further commented that the law will need to be revised to include effective privacy protections against rampant misuse of personal information, stronger provisions for Californians to enforce their rights, and protections against retaliation by businesses against California consumers who exercise their rights. On the other hand, some California businesses considered the CCPA too restrictive, but did not try to oppose it because the competing ballot initiative would, if passed, have imposed significantly more restrictions on the use of personal information and been more difficult to change in the future than the CCPA as enacted by legislators. As a result, the CCPA is likely to undergo revisions before it becomes effective on January 1, 2020. The law is also subject to public participation in implementing regulations required to be adopted by the Attorney General, including potentially additional categories of personal information and specific requirements for handling consumers’ opt-out rights. Foley attorneys will continue to monitor the CCPA and any amendments and implementing regulations.


GDPR and U.S. eDiscovery - Who Will Win the Game of Chicken
https://www.techtransactionstoday.com/2018/06/26/gdpr-and-u-s-ediscovery-who-will-win-the-game-of-chicken/
Tue, 26 Jun 2018 08:00:47 +0000
Well, it has now happened. The European Union’s new General Data Protection Regulation (GDPR) went into effect on May 25, 2018. In the lead up to G-Day, commentators published a voluminous amount of materials in legal journals, newsletters, and blog posts about what GDPR is, what it is supposed to accomplish, how to comply with it, the potential penalties for not complying, and the challenges that U.S. companies are facing in trying to re-work their entire data maintenance practices to keep pace with the GDPR’s requirements. One topic, however, that has gotten scant attention is what the GDPR will mean for litigators seeking discovery from Europe. Well, here is a prediction – U.S. courts will have little patience for GDPR compliance requirements if the result is a failure to preserve electronically stored information (ESI), a substantial delay in producing requested documents and data, or an outright refusal to produce the materials requested.

First, let’s examine – very briefly – what GDPR is and what it requires. (For more detailed descriptions, please refer to the aforementioned materials that have been published in recent months.) Simply put, the GDPR is a mandatory regulation designed to protect an individual’s privacy by limiting how electronic information about that person may be maintained, processed, used, or transferred. The GDPR is applicable in all 28 EU member states, as well as in the slightly wider European Economic Area (EEA), which includes non-EU member states such as Iceland and Norway. Even if a company is not physically located in those countries but provides goods and services to individuals located in the EU/EEA on a regular enough basis, then the GDPR is applicable to that entity. So, yes – the GDPR applies equally to a business based in Paris, France, selling over the internet to individuals in Italy, as well as a business located in Paris, Texas, offering goods or services to people located in Ireland. Moreover – and probably most importantly in terms of ediscovery – the GDPR is applicable to employers of people located in the EU/EEA or entities that maintain electronic records of a European company’s employees.

Two things make GDPR compliance – or the failure to comply – particularly daunting. First is the regulation’s definition of “personal data” and the rights given to an individual to control the electronic data containing such personal information. More on this in a moment. . . . Second is the financial “bite” that EU regulators put into the GDPR, a bite which far exceeds any potential fines that theoretically existed under previous EU or individual country rules. Specifically, the GDPR allows for administrative fines for failure to comply with the GDPR’s data transfer provisions of up to € 20 million (about $23.5 million) or 4% of the violating company’s annual worldwide revenue, whichever is higher – and that revenue amount can be calculated across the violating company’s corporate worldwide parents, subsidiaries, and other affiliates. GDPR, Art. 83(5). Granted, fines at the highest level are reserved for the most egregious situations, but there can be no question that it was the potential threat of these hefty fines that caught the attention of companies throughout the world and led to the enormous efforts over the last year or so to develop GDPR-compliant data policies.

Turning back to the challenges raised by “personal data” under the GDPR, U.S. litigators should understand that the GDPR defines personal data as “any information relating to an identified or identifiable natural person.” GDPR, Art. 4. This definition is much, much broader than what U.S. practitioners typically recognize as sensitive personal information worthy of protection – e.g., a person’s name in conjunction with the person’s social security number, or bank account numbers, or health records. The GDPR’s reference to “any” information includes, at least, the person’s name in conjunction with the person’s email address (business or personal), a physical address or telephone number, or just about anything else that can directly or indirectly identify a specific person. For example, just think of the typical footer people often include at the end of business emails listing the person’s name, company, title, business address, business telephone number, a mobile telephone number, and the person’s email address. Under the GDPR, all of that information constitutes “personal data.” Likewise, the GDPR definition is broad enough to capture an individual’s IP address, which can be found in data logs or other electronic records – information that well could be caught up in ESI discovery requests.

As to an individual’s rights over his/her personal data, the European Commission (EC) explained, in an amicus brief filed to the U.S. Supreme Court last December, that the EC regards “protection of personal data [as] a fundamental right” and that the GDPR is a reflection of the EU’s interest to protect such a right(s).1 The GDPR requires, under certain circumstances, that individuals whose data are being “processed” – e.g., collected, stored or transferred – be provided with explicit and easily understood notice. The GDPR also grants to affected individuals the right to demand to examine that personal data, to correct the data, to erase the data, to object to the collection, use or transfer of the data, and/or the ultimate right to demand to be forgotten.2 There are some exceptions to these rights, including when the data are necessary for “compliance with a legal obligation,” the “establishment, exercise or defence of legal claims,” or “for purposes of compelling legitimate interests . . . which are not overridden by the interests or rights and freedoms of the data subject.” See, e.g., GDPR, Arts. 6(1)(c) and 49(1) and 49(1)(e). How these provisions will be interpreted remains an open question, but given many European countries’ long-standing disdain for the entire concept of U.S. discovery, such language should not be regarded as a certain GDPR “get out of jail free” card. Indeed, the European Commission has already explained that an order from a foreign court to produce documents does not render that order legal under the GDPR and that, absent an agreement between countries for mutual legal assistance, such an order could proceed “only if it qualified under Article 49.”3

Now, the GDPR’s personal data protections may offer comfort to individuals who do not wish for their personal information to be sold by one web business to another with the second business using that personal data to engage in a targeted advertisement campaign. Likewise, people get very agitated when – oh, for example – Facebook collects and retains personal data and winds up opening a cyber door to the Cambridge Analyticas of the world or hidden foreign government agents who collect and make use of that data for all sorts of political games and gains. But, let’s think about personal data protection when it comes to a typical – and assumedly non-nefarious – need such as an obligation to adhere to U.S. discovery rules.

As we all know, under the Federal Rules of Civil Procedure, discovery is wide-open and broad (concerns for proportionality notwithstanding), and American lawyers use those procedural mechanisms every day to demand that both opposing parties and non-parties undertake extensive efforts to preserve, collect, and/or produce ESI relevant to claims or defenses in a legal dispute. And while these requests may spark motions to a judge seeking protection because of burden and costs, for the most part, American recipients of preservation notices or document requests comply. They also may seek a protective order so that the information cannot be widely disseminated or examined by just anyone4 . . . but they comply.

Now assume that a U.S. party brings a civil suit against a company located in any of the EU/EEA member countries – let’s say France – or sues a U.S. subsidiary of a French company but seeks documents in discovery “located” at the company’s French parent’s office . . . or even serves a subpoena under Rule 45 on a U.S. subsidiary of a French company requiring the production of documents that are in the possession of the parent French company. And yes, all three of these variations are a possibility.5

Under prevailing U.S. rules, once a defendant either is sued or has reason to believe that litigation is imminent, it is obligated to preserve documents, including all ESI, that are potentially relevant to the claims or defenses raised in the litigation. Thus, a party is obligated to “suspend its routine document retention/destruction policy and put in place a ‘litigation hold’ to ensure the preservation of relevant documents.”6 Likewise, a subpoena recipient is obligated to preserve documents for a sufficiently long period of time to allow for collection and production of the documents consistent with the subpoena’s terms.

So, assuming that the defendant in U.S. litigation is a European entity, that company, under U.S. rules, must “immediately” take steps to preserve all documents – hard-copy and electronic – that may be relevant to the case. Such efforts almost inevitably call for the employer at that point to send a “litigation hold” notice to employees/custodians notifying them of the obligation to preserve relevant information. Upon receiving that notice, each recipient, under the terms of the GDPR, has the right to review the material swept up in the preservation effort, including historical ESI that may have been preserved or archived by the employer. Likewise, it could be argued that other people whose “personal data” is contained within the ESI of a document hold recipient have a similar right of review.

The next question is how long it will take to allow those who choose to review their data to complete the task – and possibly raise questions about why certain information is included in the sweep. Will people have a second or third chance to conduct such a review once the data are culled to specific topics and time periods – and then again, before the ESI is actually produced? What about the time it will take to resolve any objections that individuals raise about the use or transfer of the data – even if it is later determined that the objection is not valid? The possibilities for delay and conflict cannot be ignored.

The question that then arises is whether any U.S. court is going to tolerate the complexities and inevitable time delays that will arise when ESI is sought from EU/EEA member state companies – or from companies located elsewhere but which hold personal data about individuals located in those countries. If past is prologue, the answer to that question should be a resounding “no.”

There is nothing new about the tension between the U.S. discovery system and efforts by European countries to limit American lawyers from being able to obtain information in discovery.7 As long ago as 1958, the U.S. Supreme Court grappled with how to reconcile an effort to obtain certain Swiss bank records when Swiss penal laws protected those same records. See Société Internationale Pour Participations Industrielles et Commerciales, S.A. v. Rogers, 357 U.S. 197, 212-13 (1958) (reversing dismissal of suit as penalty for failure to produce without first making a willfulness determination, but warning that significant evidentiary penalties remained possible). In 1987, the Supreme Court weighed in again, stating, in reference to the French “blocking statute” (which calls for criminal penalties for the production of economic, commercial, industrial, financial, or technical documents “with a view” to foreign judicial proceedings), that “It is well settled that such statutes do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.” Société Nationale Industrielle Aerospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522, 544, n.29 (1987).

Since Aerospatiale, U.S. courts have remained, with very few exceptions, consistently hostile to concerns about foreign laws that conflict with U.S. discovery obligations.8 Following upon Aerospatiale’s guidance to courts to engage in an international comity analysis when confronted with conflicting foreign law, U.S. courts regularly weigh, among other things, the importance of the information to the U.S. proceeding; the foreign country’s national interest in its own law; the extent to which compliance with foreign law would undermine important U.S. interests; and whether violation of the foreign law would likely lead to a hardship upon the persons or entity producing the documents.9 However, these examinations generally have been perfunctory and almost inevitably lead to the conclusion that U.S. legal interests outweigh the interests reflected in European law. U.S. courts also almost always note that, despite the threat of criminal jeopardy or monetary fines, prosecutions are extremely rare, and the lack of enforcement by European authorities undermines any concerns about the potential hardship to befall any individual or company that complies with U.S. discovery demands.

A recent decision is illustrative of this approach. In Laydon v. Mizuho Bank, Ltd., 183 F. Supp.3d 409 (S.D.N.Y. 2016), a group of European defendants sought relief from having to respond to plaintiffs’ discovery requests on the grounds that compliance would violate the then-existing 1995 EU Directive 95/46/EC, which was implemented in the United Kingdom as part of the UK’s Data Protection Act. Many of the key data protection provisions of the 1995 EU Directive are very similar to those found in the present GDPR.

In support of their motion, the foreign defendants submitted expert declarations from UK privacy and data protection experts, both of whom argued that the EU Directive and, thus, the UK law prohibited the production of documents in response to plaintiffs’ discovery. The Magistrate Judge agreed that a conflict between the countries’ laws existed and, thus, embarked on a comity analysis. Giving the question short shrift, he determined that the information sought was important to plaintiffs’ case; that while the UK had an interest in enforcing the European data privacy provisions, U.S. interests in enforcing its own laws are superior; that the lack of an official UK government objection indicated that the foreign law interest was not particularly great; and that defendants could not point to a single instance in which the UK government pursued an enforcement action under the Data Protection Act against any entity for responding to U.S. discovery requests. Id. at 423-26.

Against this entrenched background, there should be no reason to expect that U.S. courts will regard the terms of the GDPR as a game-changer – and certainly not one that should be allowed essentially to eviscerate the U.S. discovery system. The Europeans have long taken a different approach towards compelled – or involuntary – disclosure of information that relates to an individual. And what may have begun, at least in part, as a reflection of specific countries’ disdain for U.S. discovery – e.g., the French blocking statute – has evolved in more recent years to genuine concern about personal privacy in an era where electronic data is ubiquitous, instantly transferable across national boundaries, and subject to unknown uses or misuse. Nonetheless, U.S. courts continually have treated European privacy protection efforts as more of an annoyance to be quickly swatted away and dispelled. And while we may be seeing the beginnings of an awakening in the United States about how easily personal data can be collected and manipulated, there certainly is no indication that U.S. policymakers are considering substantial amendments to the discovery rules to address any such concerns. Hence, we all should assume that U.S. discovery as we know it is here to stay for the foreseeable future. Thus, the two legal systems are at loggerheads.

Only one thing may tip the balance – but that is going to require a very serious game of chicken. As noted above, one of the continuing themes repeated in U.S. decisions declining to defer to European or individual country laws is that there has been virtually no enforcement of those laws. The French blocking statute has only ever been enforced once – in 2007, against a French lawyer who lied to a potential French witness to get information for use in a California case, but that case did not actually involve pending discovery.10 Thus, U.S. courts continue to issue orders compelling the production of European documents, data, and ESI. Recall, however, that the GDPR significantly upped the fining authority ante. So, who is going to give way first? Will European companies stand firm behind the GDPR and either decline to produce data or seek substantial delays, thereby risking the wrath of U.S. judges – or will they elect to comply with U.S. discovery orders and risk the significant fines that can be imposed on them for non-compliance with the GDPR’s provisions? Are the European authorities really going to impose those fines despite having not done so in the past? If they do, are U.S. courts really going to continue to require compliance with U.S. discovery rules, essentially ignoring the hardships those fines represent?

The answers to these questions remain to be seen. All we can say for now is that U.S. judges over many years have consistently shown a steely determination to enforce U.S. discovery requirements against foreign nationals, and European authorities have taken no action in response either against the United States or their own citizens. Will that change? Game on!

————————-

1 See Brief of the European Commission on Behalf of the European Union as Amicus Curiae in Support of Neither Party at 1 and 8, United States v. Microsoft Corp., No. 17-2 (S. Ct. Dec. 13, 2017) (hereinafter “EC Amicus Brief”). The Microsoft case concerned a warrant issued under the Stored Communications Act by a federal magistrate judge in New York for an individual’s electronic data/documents stored on a Microsoft server in Ireland and Microsoft’s refusal to comply on the grounds that the Stored Communications Act did not have extraterritorial reach. The Second Circuit subsequently agreed with Microsoft and overturned the district court decision. The U.S. government appealed the matter to the Supreme Court and oral argument was held in February 2018; however, due to new legislation that clarified the extraterritorial application of the Stored Communications Act, the appeal was deemed moot and dismissed.

7 This tension is not exclusive to Europe – other countries throughout the world also have legal systems and philosophies that conflict with U.S. discovery rules. However, as this article relates to the implications on ediscovery of the new GDPR, the discussion is limited to the tension with European law.

8 Exceptions do exist but are few and far between. See, e.g., Salt River Project Agricultural Improvement and Power Dist. v. Trench France, SAS, 2018 WL 1382529 (D. Ariz. Mar. 19, 2018) (recognizing potential hardship to French defendant due to French blocking statute and permitting discovery to proceed under the Hague Convention).

9 See generally Restatement (Third) of the Foreign Relations Law of the United States at § 442(1)(c).

Deidre Diamond, CyberSN and Brainbabe Founder and CEO, will be presenting. This is a MUST ATTEND event for all cyber security professionals, no matter your gender, skills, or experience. Join Us!

While garage parking is available at our office, note that we are also easily accessible by the T. From the Orange Line exit Back Bay Station and walk through the Copley and Prudential Malls to our building. From the Green Line (E train) exit Prudential Station and just walk upstairs.

Foley to Host Roundtable: Let's Go to the Game
https://www.techtransactionstoday.com/2017/12/11/foley-to-host-roundtable-lets-go-to-the-game/
Mon, 11 Dec 2017 18:31:12 +0000
Please join us for a roundtable discussion led by industry experts who will discuss two timely topics impacting the sports and technology industries today, both concerning the use of technology to sell the live game experience in professional and collegiate sports. The discussion will take place at Foley’s New York office on January 18, 2018 from 4:00 p.m. – 6:00 p.m. EST, followed by a cocktail reception. Topics discussed will include:

In-Arena Experience for Fans.

As the necessity for full connectivity becomes clear and fans demand a better experience, expect 2018 to be the year that a wave of digital renovation projects are made a priority. We will discuss:

More connected stadiums.

Using digital products to enhance the live game experience.

The stadium of the future.

What has experience taught us?

Ticketing Customer Analytics/Security.

With the stadium fan experience starting long before the actual event takes place, ticketing is often the first point of call for fans, and the innovations taking place in this area are heavily influenced by mobile technology. Ease of purchase and delivery, system benefits and costs, and data collection are all important aspects of getting fans to the stadium/arena, in the seats they want, and enabling teams to turn one-time purchasers into devoted fans. We will discuss:

Ticketing technology solutions.

Merging the buying experience with amenity features.

Gathering, analyzing and using consumer data.

Security and mobile technology.

General Discussion

What solutions are working? Where is the technology headed? In what new solutions should teams invest?

What is the fan feedback and demand for technology?

What have other industries taught sports? Where do sports lead?

Speakers

Christopher Heck, President of Business Operations, Philadelphia 76ers

Joe Choti, President and Chief Executive Officer, Tickets.com and ProVenue

This program is hosted by Foley’s Chambers-recognized Sports Industry Team.

Companies Outside Retail and Financial Industries May Have Additional Arguments to Challenge Standing in Data Breach Cases
https://www.techtransactionstoday.com/2017/12/06/companies-outside-retail-and-financial-industries-may-have-additional-arguments-to-challenge-standing-in-data-breach-cases/
Wed, 06 Dec 2017 19:44:06 +0000
The data breach at the U.S. Office of Personnel Management was one of the most serious and possibly one of the top 10 largest data breaches of the 21st century, compromising background investigation records for some 22 million current and former federal employees. But a class action lawsuit brought on behalf of those employees was recently dismissed for lack of Article III standing. In that case, In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.[1] (“OPM Data Security Breach”), the U.S. District Court for the District of Columbia concluded that, with the exception of two employees who had incurred unreimbursed out-of-pocket expenses to remedy actual identity theft, the named plaintiffs failed to establish injury-in-fact.[2] The court reached this conclusion even with respect to plaintiffs who had incurred fraudulent charges (for which they ultimately did not have to pay), who alleged that they had suffered stress due to a fear of identity fraud, and who had purchased credit monitoring services. The court was influenced by reports that the breach had been perpetrated by the Chinese government, and did not jeopardize the kind of credit card or other financial information that could be useful in committing credit card fraud.[3] Thus, the court in OPM Data Security Breach was not willing to make assumptions about the likelihood of future harm, although such claims are routinely made (albeit with mixed success) in the context of retail and financial establishment breaches that involve a theft of credit card information.[4]

Even with respect to the two plaintiffs in OPM Data Security Breach who had incurred unreimbursed expenses to rectify actual identity theft, the court found that the complaint did not plausibly allege a connection between the data breach and the claimed harm.[5] The court observed that all those plaintiffs could point to regarding the required nexus was that the data breach had preceded the identity theft. But the court was not ready to presume that the theft was not done by other criminals or as a result of some other data breach, particularly where around 3.3 percent of the general population will experience some form of identity theft, regardless of the source, and in this case, identity theft had affected only 0.00009 percent of individuals.[6] Similarly, because the court did not believe that the identity theft was impending, the court was not swayed by the out-of-pocket expenses some of the employees had incurred for credit monitoring services.[7]

The OPM Data Security Breach matter illustrates that standing remains a robust defense in data breach cases, particularly in cases that do not involve a breach of financial information. Other recent cases exemplify this principle. For example, in K.R. Stapleton on behalf of C.P. v. Tampa Bay Surgery Ctr., Inc.,[8] a federal district court in Florida recently tossed a lawsuit against a medical center arising out of a data breach exposing information of over 142,000 of its patients.[9] The information, which was posted on a public file-sharing website, included children’s names, dates of birth, home addresses, and social security numbers.[10] In dismissing the case for lack of standing, the court relied on the absence of any suggestion that the information had actually been misused for any of the 142,000 patients affected.[11] The court also found that the alleged imminent nature of harm was mitigated because the defendant provided free credit monitoring, including a credit lock service, for everyone affected by the breach.[12] Thus, because patients would suffer actual harm only if a series of unlikely events were to occur (including that the credit lock would somehow be inadequate to prevent information misuse), the threshold of impending injury or substantial risk that harm would occur was not met.[13]

Finally, earlier in the year, in Foster v. Essex Prop., Inc.,[14] yet another court dismissed a class action against a real estate management company related to a data breach that compromised information of the company’s tenants, including their rental applications and files. Although the named plaintiffs were able to point to unauthorized charges on their credit cards, the defendant rebutted a causal connection between these charges and the breach by submitting affidavits attesting that the plaintiffs’ credit cards and other personal information had not been stored on the company’s system and, in fact, that the plaintiffs had never paid rent using a credit or debit card.[15] Based on this unrebutted evidence, the court concluded that the data breach could not have been the cause of the unauthorized charges, and dismissed the case.[16]

Cases in the data breach context frequently harken back to the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA.[17] Clapper involved a constitutional challenge to a provision of the Foreign Intelligence Surveillance Act of 2008 (“FISA”) allowing the United States to conduct foreign intelligence surveillance without having to meet some requirements of traditional FISA surveillance. The respondents, a group of international organizations, lawyers, and media personnel, asserted that they were likely to be targets of surveillance and thus had standing to sue. The high court disagreed, finding it speculative whether the Government would target communications to which the respondents were parties, particularly where they did not allege that the Government had ever sought approval for surveillance of their communications, did not explain how the Government chooses its targets, and could only speculate whether the FISA court would authorize such surveillance and whether the surveillance would ultimately be successful.[18] Notably, even though some of the challengers had taken costly and burdensome measures to protect the confidentiality of their communications, the Supreme Court rejected the assertion of standing on this basis, noting that “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”[19]

The application of Clapper in the data breach context has varied among different courts. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *12 (N.D. Cal. Aug. 30, 2017) (holding that plaintiffs established standing because they suffered an increased risk of future identity theft as a result of the data breaches); In re SuperValu, Inc., 870 F.3d 763, 772 (8th Cir. 2017) (finding that although allegations of future injury were insufficient, one named plaintiff alleged a present injury-in-fact because he suffered a fraudulent charge on the credit card used to make purchases at defendants’ stores affected by the data breaches). Still, the recent decisions in OPM Data Security Breach, Tampa Bay Surgery and Foster bolster Clapper’s rationale and its hesitation to infer imminent injury and causation from a breach, particularly as applied to defendants outside the retail or financial services industries. Even companies that do collect credit card and similar financial information should explore whether the named plaintiffs’ files indeed included the type of information that could lead to identity theft and unauthorized charges, in order to evaluate a potential challenge to redressability and causation in the named plaintiffs’ cases.

The Impact of Employee Training on Cybersecurity Breaches
https://www.techtransactionstoday.com/2017/12/05/employee-training-impact-on-cybersecurity-breaches/
Tue, 05 Dec 2017 19:58:26 +0000

Every organization is exposed to information security threats daily. It is essential that organizations have an information security protection program that is properly designed, documented, executed, and updated to minimize exposure to information loss, disruption of operations, and liability to third parties and regulators. An effective cybersecurity risk management program requires an effective governance structure based on the organization’s risk appetite — just as the company would create for any other material risk. While the components of a cybersecurity risk management program may vary from organization to organization, certain key elements are generally common to all effective programs. One such element is user education, awareness, and training.